Threatonomics

Fortifying Defenses: Effective Third-Party Risk Management in Cybersecurity

by Si West, Director, Customer Engagement

As cybercriminals continue to evolve their strategies and target vulnerabilities in digital systems, businesses face an increasing need for robust third-party risk management. The first half of 2023 has been no exception: it was a period marked by significant shifts in cybercriminal strategies. Notably, these evolving tactics have aimed at an often-overlooked aspect of cybersecurity: the third-party attack surface.

As headlines have been dominated by reports of high-profile cyber attacks on major organizations, one common denominator has emerged: many of these incidents were made possible by exploiting vulnerabilities residing within third-party vendors. Large organizations on average maintain 173 vendors within their supply chain, creating a massive attack surface with huge potential for security gaps. This growing threat has thrust the need for robust third-party risk management strategies to the forefront of discussion.

Comprehensive third-party risk management is crucial to safeguarding businesses and protecting sensitive data from cyber threats, and it is a key component of Cyber Resilience.

Adapting to New Cyber Threats

The Resilience 2023 Mid-Year Cyber Claims Report reveals a strategic shift among cybercriminals toward exploiting vulnerabilities in third-party vendors. This trend has had a broader impact on organizations, leading to domino-style data breaches that devastate multiple businesses.

Insights from the Resilience 2023 Mid-Year Cyber Claims Report

Recovery Improvements: Those who experienced ransomware to the point that a payment was demanded were still technically hit. The fact that only 15% had to pay tells me that the other 75% likely had good recovery strategies in place which allowed them to forgo a ransom payment.

Shift Towards Larger Targets: The report indicates a strategic move by cybercriminals towards targeting larger organizations, a tactic known as “big-game hunting,” evidenced by increased ransom demands.

Vulnerability of Third-Party Vendors: The MOVEit attacks underscore the risks posed by third-party vendors, now identified as the leading vulnerability point in cybersecurity incidents.

Emergence of Encryption-less Extortion: A pivot towards encryption-less extortion has been observed. In these attacks, cybercriminals steal sensitive data and demand a ransom by threatening to release or sell the information, without ever encrypting the victim's systems. Because no encryption event occurs, these incidents are harder to detect and respond to.

Broad Industry Targeting: Cybercriminals have broadened their targets beyond traditional sectors, with manufacturing and education notably impacted in recent attacks.

Elevating Cybersecurity Through Strategic Third-Party Risk Management

Protecting your organization’s data, infrastructure, and other assets now requires extending security measures to cover the attack surface of each third-party vendor. Here’s how organizations can strengthen their defenses with thorough protocol development, security monitoring, and rigorous vendor assessments.

Protocol Development and Enforcement: Establishing clear, detailed protocols for your vendors to follow is critical for any effective third-party risk management program. These protocols outline security and insurance requirements and expectations for third-party vendors. Creating these protocols is just the start; the real impact comes from regularly auditing and enforcing these policies. Incorporating these standards into contracts makes compliance mandatory, improving the security compliance of the vendor network.

Comprehensive Vendor Assessment: A key element in third-party risk management is regularly performing thorough security assessments of vendors. These assessments examine the vendors’ cybersecurity framework, incident response capabilities, compliance with industry standards, and insurance coverage. Organizations can use security frameworks, such as the NIST CSF or ISO 27001, to establish a vendor risk assessment process that uncovers possible weaknesses within vendor networks. Having open discussions with vendors about assessment results and working together to address security issues is essential to sustaining a solid cybersecurity posture against threats arising from gaps within the supply chain.

Enhanced Security Controls: Proactive security measures up and down the supply chain are essential to counter dynamic threats that could trigger a sprawling incident. Implementing advanced security protocols and continuously monitoring third parties can help prevent potential threats from becoming incidents. Tools like automated security scanning and real-time threat detection are crucial, allowing quick identification of and response to vulnerabilities. Establishing procedures for immediate action when security breaches are detected strengthens an organization’s defense against cyber threats.

Integrating Risk Management into Cybersecurity Strategy

Integrating third-party risk management (TPRM) into a broader cybersecurity strategy is essential for creating a holistic defense framework that closes security gaps and accounts for the organization’s full value at risk. To align TPRM objectives with overall cybersecurity goals and strengthen the organization’s security posture, security leaders must actively seek out these gaps and address the vendor risks behind them.

Third-party risk governance and frameworks ensure that third-party engagements are managed under strict security standards, limiting the damage that data breaches and cyber threats affecting external entities can cause. Organizations can maintain oversight of their vendors’ cybersecurity practices by implementing a unified strategy with each vendor. Working closely and maintaining strong relationships with your third parties enhances visibility into risks, facilitates better decision-making, and ensures a cohesive response to threats. By embedding TPRM into the cybersecurity strategy, organizations can ensure that security measures are consistently applied across all external partnerships, minimizing vulnerabilities and enhancing resilience against threats in the supply chain.

Anticipating Future Challenges

Organizations must prioritize adaptability and agility to effectively anticipate and counter future cybersecurity challenges. This requires maintaining up-to-date knowledge of emerging trends and leveraging advanced threat intelligence.

The evolving tactics of cybercriminals in 2023 underscore the necessity of proactive strategies and continual evaluation of risk management capabilities. This involves staying abreast of industry developments, sharing intelligence internally and with trusted partners, and implementing measures to quickly address identified risks.

Embracing advanced technologies and fostering collaboration with industry peers helps organizations bolster their ability to detect and respond to emerging threats. By building knowledge, utilizing advanced threat intelligence, and implementing robust cybersecurity measures, organizations can effectively anticipate and counter future challenges, strengthening their overall resilience. Strengthen your cybersecurity with our expert demo: see how our solutions protect your operations.
